I'm looking for convincing arguments - or to be told it does not matter - as to why a client of ours should not be creating DMZ VLANs on an internal Cat-6509.
So the basic topology is a 6509 in a DC and 2x ASA-5510 in active/standby. They have finally agreed to start utilizing DMZs for various services, but since they have no other switch at the DC they are currently happy to have these DMZs on separate VLANs on the 6509.
Is this a security risk? (They are NOT using the 6509 as an 'outside' switch so that is something I suppose)
How can the risk be mitigated?
How could their environments be compromised?
Any suggestions appreciated. Thanks in advance,
I don't see a problem with this setup as long as:
1) External/DMZ VLANs are LAYER 2 ONLY! Use a security device to handle all LAYER 3 (firewall, FWSM, etc.).
2) You disable proxy ARP on ALL layer 3 interfaces on the switch.
3) You don't give anyone access to the switch unless they know what they are doing (understand the implications of having mixed traffic on the switch).
4) You configure a bogus VLAN, make sure everyone knows what it is (put a name on it and document it), and make that the default VLAN for your switchports.
5) You turn off trunk negotiation (all ports should be configured "switchport mode trunk" or "switchport mode access", and also "switchport nonegotiate"). If you use 802.1Q (or ISL - ugh), explicitly define the VLANs that are allowed to pass: "switchport trunk allowed vlan x,y".
6) Use VTP transparent and don't trunk external VLANs to other switches unless you know what you are doing.
The most important is probably #3. One misplaced layer 3 interface or SVI, and game over: you just bridged the Internet to your internal network. I can't stress enough that while this is possible, and secure if done properly, it is VERY dangerous if you don't know what you are doing. Some would consider this too high of a risk to take, and believe in physical separation to eliminate the risk. I happen to agree; however, I understand that not all of us can afford to buy multiple 6500s.
Another thing to consider, have you thought of using VRF-Lite?
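As an added example (not part of the answer above or the original thread), the following Python script audits a Cisco IOS configuration against the six rules in that answer: no SVI on a DMZ VLAN, proxy ARP disabled on every SVI, explicit access/trunk mode with DTP turned off, an explicit allowed-VLAN list on trunks, access ports moved off VLAN 1 onto a named parking VLAN, and VTP in transparent mode. The two embedded configs are constructed for the example: a weak one that shows the "one misplaced SVI" failure, and a hardened one that passes. The DMZ VLAN IDs (100, 101) and the parking VLAN (999) are assumptions, and the parser handles only the line shapes shown (interface blocks and global lines), not every IOS construct.

```python
"""Audit a Cisco IOS config for DMZ-on-shared-switch hardening.

Added example, not code from the original thread. DMZ VLAN IDs, the parking
VLAN and both config snippets below are constructed for illustration.
"""
import re

DMZ_VLANS = {100, 101}   # assumed DMZ VLAN IDs (hypothetical)
PARKING_VLAN = 999       # assumed "bogus" parking VLAN for unused ports (hypothetical)


def parse_config(text):
    """Split IOS config text into (global_lines, {interface_name: [sub_lines]})."""
    global_lines, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # "!" ends a block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text, dmz_vlans=DMZ_VLANS):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    global_lines, interfaces = parse_config(text)

    # Rule 6: VTP transparent, so no other switch can rewrite the VLAN database.
    if "vtp mode transparent" not in global_lines:
        findings.append("global: vtp mode is not transparent")

    for name, lines in interfaces.items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            vid = int(svi.group(1))
            # Rule 1: an SVI on a DMZ VLAN makes the 6509 a layer-3 hop into the DMZ.
            if vid in dmz_vlans:
                findings.append(f"{name}: layer-3 SVI on DMZ VLAN {vid}")
            # Rule 2: IOS enables proxy ARP on SVIs by default; require it off.
            if "no ip proxy-arp" not in lines:
                findings.append(f"{name}: proxy ARP not disabled")
            continue

        sw = [l for l in lines if l.startswith("switchport")]
        if not sw:
            continue                            # routed/unconfigured port: outside these rules
        mode = next((l.split()[-1] for l in sw if l.startswith("switchport mode ")), None)
        # Rule 5: explicit mode plus nonegotiate; any "dynamic" mode lets DTP form a trunk.
        if mode not in ("access", "trunk"):
            findings.append(f"{name}: switchport mode not explicitly access or trunk")
        if "switchport nonegotiate" not in sw:
            findings.append(f"{name}: DTP not disabled (missing switchport nonegotiate)")
        if mode == "trunk":
            allowed = next((l for l in sw if l.startswith("switchport trunk allowed vlan ")), None)
            if allowed is None or allowed.endswith(" all"):
                findings.append(f"{name}: trunk without an explicit allowed VLAN list")
        elif mode == "access":
            # Rule 4: access ports default to VLAN 1; unused ports belong in the parking VLAN.
            if not any(l.startswith("switchport access vlan ") for l in sw):
                findings.append(f"{name}: access port left on default VLAN 1")
    return findings


# Constructed weak config: VTP server, an SVI on DMZ VLAN 100, proxy ARP left on,
# a port negotiating trunks via DTP, and an unused port sitting in VLAN 1.
WEAK_CONFIG = """\
vtp mode server
!
interface Vlan100
 description DMZ-WEB
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan10
 description INSIDE-USERS
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/1
 description to ASA DMZ-WEB
 switchport
 switchport mode dynamic desirable
!
interface GigabitEthernet1/2
 description unused
 switchport
 switchport mode access
!
"""

# Constructed hardened config: the same switch with every rule applied.
HARDENED_CONFIG = f"""\
vtp mode transparent
!
vlan {PARKING_VLAN}
 name PARKING-UNUSED-PORTS
!
interface Vlan10
 description INSIDE-USERS
 ip address 10.10.10.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet1/1
 description to ASA DMZ-WEB (layer 2 only)
 switchport
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
!
interface GigabitEthernet1/2
 description unused
 switchport
 switchport mode access
 switchport access vlan {PARKING_VLAN}
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/3
 description trunk to ASA, DMZ VLANs only
 switchport
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101
 switchport nonegotiate
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  " + f)
```

Run against a real `show running-config` saved to a file by passing its contents to `audit()`; the weak config above produces eight findings, the hardened one none. The script only covers the rules from the answer, so a routed physical port with an IP address in a DMZ subnet (the same mistake as an SVI, just on a port) would need an additional check.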